Privacy Shield ‘oceans apart’ from Safe Harbour

Ross McKenzie

Lawyers have cautiously welcomed the new regime governing the transfer of personal data between the EU and the US.

The rules on “Privacy Shield”, the replacement for the defunct “Safe Harbour”, were published yesterday by the European Commission, with Estonian vice-president Andrus Ansip saying “both sides of the Atlantic work to ensure that the personal data of citizens will be fully protected and that we are fit for the opportunities of the digital age”.

Privacy Shield retains the self-certification for compliance that was part of Safe Harbour’s downfall, though one lawyer said this is mitigated by the fact the new regime now has “teeth”.

Daradjeet Jagpal, an associate at Harper Macleod, said Privacy Shield was “oceans apart” from Safe Harbour.

He added: “The underlying model remains the same, with US organisations being required to annually self-certify to the US Department of Commerce their adherence to a core set of enhanced privacy principles and publicise their compliance in publicly available privacy policies.

“However, most importantly, the Privacy Shield now has “teeth”. EU individuals can now raise complaints concerning the handling of their personal data directly with the US organisations concerned.”

“Complaints can also be filed with a Privacy Shield Panel, comprising twenty arbitrators selected by the US Department of Commerce and the European Commission, who are able to provide non-financial relief to affected EU individuals.”

Ross McKenzie, a data protection specialist at Burness Paull, meanwhile urged caution at this stage and noted Privacy Shield is still only one channel among others for transferring data.

He told Scottish Legal News that “the new Privacy Shield is generally seen as improving privacy protections for data transfers between EU and US companies. However we are still some way off before we can really advise on how transfers will be handled. This is because the EU Commission’s text needs to be evaluated by the European Data Protection Supervisor before formal adoption.”

“We then have the practicalities of compliance and enforcement if adopted. Companies that rely on the Privacy Shield to handle data transfers will need to certify compliance annually. Companies can be dropped off the list for failing to comply which means businesses will need to engage far more on privacy compliance to ensure they retain their certification – which can only be a good thing for the privacy of our personal information, but will involve a lot more work for US companies.”

“We also need to keep in mind that the Privacy Shield is only one method to transfer personal data from Europe to the US. A number of other options exist that can be used to legitimately transfer personal data which are still valid. However it is likely that the Privacy Shield discussions will influence these other routes for compliance in time.”
